Analysis
max time kernel: 75s
max time network: 149s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 14-11-2022 09:44
Static task: static1
Behavioral task: behavioral1
  Sample: 1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: 1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
  Resource: win10v2004-20220812-en
General
Target: 1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe
Size: 11.7MB
MD5: 51f468fa1f11ef59ad7fd5f339906661
SHA1: 03887d2684aff18df484ca39c8f070a0bc725e4a
SHA256: 1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165
SHA512: 493e7d68f3ffdb6e9b0587457370253f72e3d6b2c6fa3bafb1e96dcb36db0e6b78b2a52bcf86c9b42f1bf260da639a1e88ca13d8a43ad9826ed4f680e9c3ba7f
SSDEEP: 196608:GPGZKb8EO3ZqySJwUWI/YfH5r7aNXl+MJvZGNod9ldozfoKF2rqIUlHRpSiC:voYZqySi7bfH5qNXzvZLHdozfSOlxpBC
Malware Config
Signatures
Babadeda Crypter 1 IoCs
Processes:
  resource: behavioral1/files/0x000500000001a3de-84.dat    yara_rule: family_babadeda
Executes dropped EXE 2 IoCs
Processes:
  PID 1452  irsetup.exe
  PID 740   alcodec.exe
Processes:
  resource                                                                yara_rule
  behavioral1/files/0x000b0000000122dd-55.dat                             upx
  behavioral1/files/0x000b0000000122dd-58.dat                             upx
  behavioral1/files/0x000b0000000122dd-57.dat                             upx
  behavioral1/files/0x000b0000000122dd-56.dat                             upx
  behavioral1/files/0x000b0000000122dd-60.dat                             upx
  behavioral1/memory/1452-66-0x0000000000250000-0x0000000000638000-memory.dmp  upx
  behavioral1/files/0x000b0000000122dd-67.dat                             upx
  behavioral1/files/0x000b0000000122dd-71.dat                             upx
  behavioral1/memory/1452-80-0x0000000000250000-0x0000000000638000-memory.dmp  upx
Loads dropped DLL 14 IoCs
Processes:
  PID 368   1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe  (4 entries)
  PID 1452  irsetup.exe  (9 entries)
  PID 740   alcodec.exe  (1 entry)
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow 4    ioc: api.ipify.org
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Modifies registry class 10 IoCs
Processes (all by irsetup.exe):
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\ = "Elecard LC"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Creative Labs Al32 Codec\\Filters\\LC.dll"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{08C10075-CA5C-4EDE-A033-AD28827A2F66}\InprocServer32\ThreadingModel = "both"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\ = "Elecard LC"
  Key created      \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Creative Labs Al32 Codec\\Filters\\LC.dll"
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{13DEF622-983C-4FA4-91CD-238C72DE4F3F}\InprocServer32\ThreadingModel = "both"
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
  PID 1452  irsetup.exe  (2 entries)
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
  PID 368  (1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe) wrote to memory of PID 1452, procid_target 26  (7 entries)
  PID 1452 (irsetup.exe) wrote to memory of PID 740, procid_target 27  (4 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe  (PID: 368)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe  (PID: 1452)
      Command line: "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1810466 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\1f53d6f4fb02c8663b9d377570953d07c56df297674b7c3847d1697f0e5f8165.exe" "__IRCT:3" "__IRTSS:0" "__IRSID:S-1-5-21-999675638-2867687379-27515722-1000"
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe  (PID: 740)
         Command line: "C:\Users\Admin\AppData\Roaming\Creative Labs Al32 Codec\alcodec.exe"
         - Executes dropped EXE
         - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Downloads